#13 NFIDS working?

Status: accepted
Owner: nobody
Labels: nfids (1)
Updated: 2014-11-27
Created: 2012-09-12
Private: No

Hello,

The installation documentation is a little bare on this aspect and I'm trying to trace the code to find the logic here - apologies if I missed something obvious. If this is the wrong avenue to post this, my apologies - please point me to the correct location /mailing group.

I'm pretty sure the IDS functionality is not working for me in my nfsight installation. I say that because I know our network gets scanned all the time and I'm doing nmap scans to try and trigger it as well. I'm sure it's something silly but I've checked the configuration and everything looks good as far as I think it should be. I changed some of the paths to actual folders since I didn't have a ../nfids and what-not.

I know this isn't a ton of information to go on but if someone could throw me a few pointers on what to check to make sure the IDS portion is working that would be much appreciated.

Thanks in advance!
Mike

excerpt from config.php in front-end /nfsight folder

<?php
$main_conf = array(
"version" => "nfsight-beta-20110908",
"check_version"=> "1",

//Main application settings
"url_path" => "/nfsight/",
"admin_ip" => array("_"), //List of IP allowed to modify/delete tasks
"crontab_ip" => "127.0.0.1,::1", //IPs allowed to run the crontab scripts
"crontab_script" => array("nfids.php", "aggregate.php", "import_graphlet.php", "email_validation.php"),
"admin_email" => "____",
"admin_name" => "Network Admin",

//Menu settings
"menu" => array(
"Events" => "browse.php",
"Settings" => "setting.php",
"Help" => "help.php",
"Logout" => "index.php?logout"
),

//PHP settings
"max_memory" => "512M",
"timezone" => "America/New_York",

//Display settings
"max_ip" => 25, //To display at once per page
"max_service" => 5, //To display, per IP
"time_window_size" => 40, //Default window of data to display, in number of bins
"time_scale" => "minute", // or day or hour

//IP anonymization:
"anonymous" => 0, //IP anonymization
"ip_key" => array(58,95,7,0), //IP anonymization secret key

//Flow files
"biflow" => "/usr/opt/nfsen/plugins/nfsight-biflow",
"biflow_compressed" => 0,

//MySQL parameter
"sql_host" => "127.0.0.1",
"sql_port" => "3306",
"sql_user" => "nfsight",
"sql_pass" => "6436n47c4ku04Wi",
"sql_db" => "nfsight",
"sql_table" => "server_discovery",
"sql_limit" => 50000,
"expiration_min" => 30, // days
"expiration_hour" => 52, // weeks
"expiration_day" => 60, // months

//Backend setting
"path" => "/usr/opt/nfsen/plugins/nfsight",
"expiration" => "180", // Number of days before backend log data files get removed
# Network ranges (to define internal vs. external end points)
"network" => array("__/16"),
# Services detection:
"scanner_limit" => "5",
# Services output:
"print_int_scanner" => "1",
"print_ext_scanner" => "1",
"print_int_client" => "1",
"print_ext_client" => "0",
"print_int_server" => "1",
"print_ext_server" => "1",
"print_int_invalid" => "1",
"print_ext_invalid" => "0",

//Nfids parameter
"nfids_file_folder" => "/usr/opt/nfsen/plugins/nfsight-nfids",
"nfids_file_prefix" => "ip.",
"nfids_report_threshold" => 20,
"nfids_time_threshold" => 43200,
"nfids_min_low_priority" => -1,
"nfids_min_medium_priority" => 50,
"nfids_min_high_priority" => 100,
"nfids_label_malformed" => "Nfids: Malformed",
"nfids_label_manytoone" => "Nfids: Many-To-One IP",
"nfids_label_onetoone" => "Nfids: One-To-One IP",
"nfids_label_onetomanyip" => "Nfids: One-To-Many IP",
"nfids_label_onetomanyport" => "Nfids: One-To-Many Port",
"nfids_report_malformed" => 1,
"nfids_report_manytoone" => 1,
"nfids_report_onetoone" => 1,
"nfids_report_onetomanyip" => 1,
"nfids_report_onetomanyport" => 1,

//Welcome message on the login page:
"welcome_message" => "This website is the front-end of a network visualization application called Nfsight. It works on top of Netflow and provides an interface to:

  • Understand network activity,
  • Identify the population of servers hosting a given service,
  • Detect rogue servers and malicious activity.

For more information, please visit http://nfsight.sourceforge.net"

);
?>

Discussion

  • Robin

    Robin - 2012-10-31
    • status: open --> accepted
     
  • Robin

    Robin - 2012-10-31

    That's right, Nfids is still an early prototype not yet shipped with the Nfsight tarball. I'm working on it and will try to release a new version including Nfids over the next few weeks.

     
  • Anonymous

    Anonymous - 2014-02-18

    Would be great to get nfids up and running. Any news on the new version?

     
